about summary refs log blame commit diff
path: root/ops/pipelines/static-pipeline.yaml
blob: ad887d0ff6109114adf32a3622869f7ea008093f (plain) (tree)
1
2
3
4
5
6
7




                                                                      

      









                                                                     








                                                                 
                                




                                                                             
                    
                       
              
             





                                                                                                                   


                                                                    
                                             

                      

                                                                        


                                                                               


                                                                   
                                                                 

                                               
 
                                                  
 



                                            




















                                                                         
                                                                               







                                                                                                                                       
 














                                                                            










                                                                    
                                
              
                                                                        


                            
# This file defines the static Buildkite pipeline which attempts to
# create the dynamic pipeline of all depot targets.
#
# If something fails during the creation of the pipeline, the fallback
# is executed instead which will simply report an error to Gerrit.
---
steps:
  # Run pipeline for tvl-kit when new commits arrive on canon. Since
  # it is not part of the depot build tree, this is a useful
  # verification to ensure we don't break external things (too much).
  - trigger: "tvl-kit"
    async: true
    label: ":fork:"
    branches: "refs/heads/canon"
    build:
      message: "Verification triggered by ${BUILDKITE_COMMIT}"

  # Create a revision number for the current commit for builds on
  # canon.
  #
  # This writes data back to Gerrit using the Buildkite agent
  # credentials injected through a git credentials helper.
  #
  # Revision numbers are defined as the number of commits in the
  # lineage of HEAD, following only the first parent of merges.
  - label: ":git:"
    branches: "refs/heads/canon"
    command: |
      git -c 'credential.helper=gerrit-creds' \
        push origin "HEAD:refs/r/$(git rev-list --count --first-parent HEAD)"

  # Generate & upload dynamic build steps
  - label: ":llama:"
    key: "pipeline-gen"
    command: |
      set -ue

      if test -n "$${GERRIT_CHANGE_URL-}"; then
        echo "This is a build of [cl/$$GERRIT_CHANGE_ID]($$GERRIT_CHANGE_URL) (at patchset #$$GERRIT_PATCHSET)" | \
          buildkite-agent annotate
      fi

      # Attempt to fetch a target map from a parent commit on canon,
      # except on builds of canon itself.
      [ "${BUILDKITE_BRANCH}" != "refs/heads/canon" ] && \
        nix/buildkite/fetch-parent-targets.sh

      PIPELINE_ARGS=""
      if [[ -f tmp/parent-target-map.json ]]; then
        PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json"
      fi

      nix-build -A ops.pipelines.depot -o pipeline --show-trace $$PIPELINE_ARGS

      # Steps need to be uploaded in reverse order because pipeline
      # upload prepends instead of appending.
      ls pipeline/build-chunk-*.json | tac | while read chunk; do
        buildkite-agent pipeline upload $$chunk
      done

      buildkite-agent artifact upload "pipeline/*"

  # Wait for all previous steps to complete.
  - wait: null
    continue_on_failure: true

  # Exit with success or failure depending on whether any other steps
  # failed.
  #
  # This information is checked by querying the Buildkite GraphQL API
  # and fetching the count of failed steps.
  #
  # This step must be :duck: (yes, really!) because the post-command
  # hook will inspect this name.
  #
  # Note that this step has requirements for the agent environment, which
  # are enforced in our NixOS configuration:
  #
  #  * curl and jq must be on the $PATH of build agents
  #  * besadii configuration must be readable to the build agents
  - label: ":duck:"
    key: ":duck:"
    command: |
      set -ueo pipefail

      readonly FAILED_JOBS=$(curl 'https://graphql.buildkite.com/v1' \
        --silent \
        -H "Authorization: Bearer $(cat /run/agenix/buildkite-graphql-token)" \
        -d "{\"query\": \"query BuildStatusQuery { build(uuid: \\\"$BUILDKITE_BUILD_ID\\\") { jobs(passed: false) { count } } }\"}" | \
        jq -r '.data.build.jobs.count')

      echo "$$FAILED_JOBS build jobs failed."

      if (( $$FAILED_JOBS > 0 )); then
        exit 1
      fi

  # After duck, on success, upload and run any post-build steps that
  # were output by the dynamic pipeline.
  - label: ":arrow_heading_down:"
    depends_on:
      - step: ":duck:"
        allow_failure: false
    command: |
      set -ueo pipefail

      buildkite-agent artifact download "pipeline/*" .

      find ./pipeline -name 'post-chunk-*.json' | tac | while read chunk; do
        buildkite-agent pipeline upload $$chunk
      done

  # After duck, on success, create a gcroot if the build branch is
  # canon.
  #
  # We care that this anchors *most* of the depot, in practice it's
  # unimportant if there is a build race and we get +-1 of the
  # targets.
  #
  # Unfortunately this requires a third evaluation of the graph, but
  # since it happens after :duck: it should not affect the timing of
  # status reporting back to Gerrit.
  - label: ":anchor:"
    branches: "refs/heads/canon"
    command: |
      nix-build -A ci.gcroot --out-link /nix/var/nix/gcroots/depot/canon
    depends_on:
      - step: ":duck:"
        allow_failure: false